FileVault Security Compromised with Compressed Air

A chilling story broke on 21-Feb-08, and please excuse the pun: Researchers from Princeton University, the Electronic Frontier Foundation, and elsewhere revealed research [1] that disk-encryption software used by and with major operating systems - including Mac OS X's FileVault - can be defeated if you have physical access to a running computer and, in the easiest example, a can of compressed air. You can download their entire research paper [2] (PDF).

The researchers discovered that the dynamic random access memory (DRAM) chips used to store running programs and data while a computer is active maintain an image of their contents for seconds to minutes after power is removed. Using relatively simple techniques to cool DRAM, ranging from discharging an inverted compressed-air canister (temperatures as low as -50 degrees C) to using liquid nitrogen (-196 degrees C), maintains the data longer.

This persistence is important because while an encrypted disk image is active, the master encryption key is stored in memory. It was previously thought that this storage had few vectors of exploitation: a machine that had a targeted virus might be able to extract and transfer the key, but even that was a bit dubious with well-designed software, and no such viruses have been reported for Mac OS X or Windows Vista.

If a ne'er-do-well had physical access to a machine, you might think, that person would also have access to the disk for which the encryption keys are loaded. But if the computer is sleeping or using a secured screen saver, and if it's set to require a password to bring back to life, this research shows that keys can be extracted even when the machine is otherwise thought to be safe. A stolen computer or one that's thought to be safely locked is now vulnerable.

The researchers discuss using a USB flash drive with an operating system and forensic tools installed to reboot the computer while retaining the memory image in RAM. The booted system can then scan for and extract encryption keys. Or, if the DRAM chips are fully frozen, they can be removed from the computer and installed in another system without losing much, if any, data.

The stored keys might not be unique to one disk's encryption or one purpose, too, making the breach of one system more troublesome. Even more interesting, if the "break in" were performed well, it's possible that a victim would be unaware - they might think their computer had just crashed in their absence unless the machine were left disassembled. (One expects that the FBI was already aware of this weakness; they already know how to keep continuous power to a computer plugged into the wall by unscrewing the wall outlet and attaching a UPS via clips to the live wires.)

The solution to this problem is a requirement for two-factor methods of authentication [3], in which possession of the encryption key has to be coupled with another piece of information, such as a hardware encryption device that generates codes that must be entered in combination with the key to gain access (RSA SecurID SID800 Token [4] pictured below). Those devices are typically carried by individuals, and thus without kidnapping or use of physical threat, security could be maintained. (Two-factor authentication is readily available these days: I have a fob from PayPal [5] that I
use to confirm my eBay and PayPal logins. It's free for business accounts, and $5 including shipping and handling for personal accounts.)

[image link] [6]

What does this mean for the average user? Realistically, your disk-encryption software is just as secure as it always was. It's unlikely that you're being monitored by a hostile government, organized crime cartel, or James Bond's villains, or even by more ordinary criminals who want your private data and have the technical chops to implement this security exploit. That said, one thing you can do to increase the security of your system is set your keychain password to something different from your login password. The researchers discovered that Mac OS X 10.4 Tiger and 10.5 Leopard keep multiple copies of the login password in memory, and most people use their login passwords to access the keychain, which in turn often stores passwords
for FileVault and other secured services. See Joe Kissell's "Take Control of Passwords in Mac OS X [7]" for details on Apple's keychain and how to separate your keychain and login passwords.

But the researchers point out that many of the systems used by financial institutions and others who maintain secure operations use disk encryption to prevent unauthorized access. Luckily, many of these institutions do require two-factor authentication, and have other physical security mechanisms in place to prevent access to computers, including locked computer cases. Those who do not should add such precautions.

The most troubling aspect of this research is that the group found unquestioned assumptions about how DRAM works and the security of disk encryption keys. With those questions now posed and answered, operating systems and other security software will have to be revised and strengthened to eliminate or at least reduce this chilly vulnerability.